REQUEST: Option to send logs to a remote logserver

Sending it to syslog with log-facility=/var/log/syslog?

No, look here: Syslog - Wikipedia

Oh I see, removing log-facility in 01-pi.hole.conf does send it to syslog, that will solve it!

Okay, I'm still not sure why that would send it to some

but I guess you configured that elsewhere.

Sending it to syslog via local0, and rsyslog takes care of the rest.

I will try to write a nice rule that can be placed in /etc/rsyslog.d/ that can be used for sending logs from pihole to a remote syslog server.

Dear wioxjk,
1)
Observation:
Most GNU/Linux distros use the package rsyslogd as the system logging service.
Check for /etc/rsyslog.conf
2)
Observation:
By default, dnsmasq sends its log lines to the system log service,
unless commanded otherwise.
The default dnsmasq configuration has log-facility=DAEMON
(Read the dnsmasq manpages)
The original Pi-hole developer decided to override the default with log-facility=[A-FILE-NAME]
3)
Possible HowTo:
Make /etc/dnsmasq.d/99-pihole-log-facility.conf containing:

log-facility=DAEMON

to over-override Pi-hole's configuration.
No need to tamper with /etc/dnsmasq.d/01-pihole.log
since it does NOT "belong" to you.
Just "comment" the "log-facility=" statement there.
4)
Possible HowTo:
Make /etc/rsyslog.d/11-dnsmasq-pihole-log.conf containing something like the following:

##########################################################################
#                                                                        #
# This file is : /etc/rsyslog.d/11-dnsmasq-pihole-log.conf               #
#                                                                        #
# Debian based distros :                                                 #
#                                                                        #
#     /etc/rsyslog.conf contains :                                       #
#                                                                        #
#     $IncludeConfig /etc/rsyslog.d/*.conf                               #
#                                                                        #
# Caution :                                                              #
#                   rsyslog includes all the files,                      #
#                           and then evaluates the resulting config.     #
#                   The "11-" prefix sorts this file before the default  #
#                           rules, which the "stop" below relies on.     #
#                                                                        #
# Warning :                                                              #
#                   rsyslog inserts the HOSTNAME in the new log line,    #
#                           between the log date and the log programname #
#                                                                        #
##########################################################################
#
#
##########################################################################
#                                                                        #
# rsyslogd filter file                                                   #
#                                                                        #
##########################################################################
#
#
#------------------------------------------------------------------------#
# Filter A : Send ALL dnsmasq loglines to a log destination.             #
#            For remote : adapt and UN-comment ONE of the remote lines   #
#            (the "@" line is UDP, the "@@" line is TCP; nothing else    #
#            may follow the destination on that line).                   #
#------------------------------------------------------------------------#
#
if ( $programname == "dnsmasq" )
then {
       /var/log/pihole/dnsmasq.pihole.full.log
#      UDP to the remote :
#      @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#      TCP to the remote :
#      @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#
#
#
#------------------------------------------------------------------------#
# Filter B : Send ONLY the DNS queries to a log destination:             #
#            (note: "query[A" also matches query[AAAA] lines)            #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "query[A" )
       then {
              /var/log/pihole/dnsmasq.pihole.query.log
#             UDP to the remote :
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             TCP to the remote :
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             For the count of the DNS queries = Use :
#             wc -l /var/log/pihole/dnsmasq.pihole.query.log
            }
#
#
#
#------------------------------------------------------------------------#
# Filter C : Send ONLY the BLOCKED domains to a log destination.         #
#            Variation (1) : test the presence of "gravity.list".        #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "/etc/pihole/gravity.list" )
       then {
              /var/log/pihole/dnsmasq.pihole.blocked.log
#             UDP to the remote :
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             TCP to the remote :
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             For the count of the blocked domains = Use :
#             wc -l /var/log/pihole/dnsmasq.pihole.blocked.log
            }
#
#
#
#------------------------------------------------------------------------#
# Filter D : Send DNS queries and BLOCKED domains to a log destination.  #
#            Variation (2) : test the pihole IP address.                 #
#            This captures the wildcard domain names also.               #
#            Replace 10.2.1.47 with the IP address of your Pi-hole.      #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "query[A" or $msg contains "is 10.2.1.47" )
       then {
              /var/log/pihole/pihole.log
#             UDP to the remote :
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             TCP to the remote :
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
            }
#
#------------------------------------------------------------------------#
# End of Filters B C D                                                   #
#------------------------------------------------------------------------#
#
#
#
#------------------------------------------------------------------------#
# Since we have the dnsmasq loglines in our own logs now :               #
# Do NOT log the dnsmasq loglines in the system log.                     #
# ("stop" discards the message for all rules that follow this file.)    #
#------------------------------------------------------------------------#
#
       stop
     }
#
#------------------------------------------------------------------------#
# End of Filter A                                                        #
#------------------------------------------------------------------------#
#
#
#
##########################################################################
#                                                                        #
##########################################################################

Your preferences may vary. :slight_smile:

Note to the pi-hole developers: these filters work faster than faster than light :wink:

Grtz, F.C.

3 Likes
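Added example, not part of F.C.'s post and not Pi-hole or rsyslog code: a Python replay of the three filter conditions above over constructed log lines in the shape rsyslog writes them (date, then the inserted HOSTNAME the post warns about, then `tag[pid]: msg`). It assumes the post's Pi-hole address 10.2.1.47 and rsyslog's default file format, and it makes two consequences visible that matter once these counts feed a SIEM: `contains "query[A"` also matches `query[AAAA]` lines, and the exact `==` on `$programname` leaves `dnsmasq-dhcp` lines in the normal syslog.

```python
"""Replay of the rsyslog filters above over constructed log lines.

Added example, not Pi-hole or rsyslog code. It assumes the Pi-hole address
10.2.1.47 from the post and rsyslog's default TraditionalFileFormat
("Mmm dd hh:mm:ss HOST TAG[pid]: MSG"), where $programname is TAG without
the [pid] and $msg is everything after the colon.
"""
import re
from collections import Counter

PIHOLE_IP = "10.2.1.47"   # assumption: the address used in Filter D of the post

# Constructed sample, as rsyslog would write it with the hostname inserted
SAMPLE = """\
Mar  3 12:00:01 pihole dnsmasq[1234]: query[A] example.com from 10.2.1.50
Mar  3 12:00:01 pihole dnsmasq[1234]: forwarded example.com to 192.0.2.53
Mar  3 12:00:01 pihole dnsmasq[1234]: reply example.com is 198.51.100.7
Mar  3 12:00:02 pihole dnsmasq[1234]: query[AAAA] ads.example.net from 10.2.1.50
Mar  3 12:00:02 pihole dnsmasq[1234]: /etc/pihole/gravity.list ads.example.net is 10.2.1.47
Mar  3 12:00:03 pihole dnsmasq[1234]: query[A] tracker.example.org from 10.2.1.51
Mar  3 12:00:03 pihole dnsmasq[1234]: config tracker.example.org is 10.2.1.47
Mar  3 12:00:04 pihole sudo: pi : TTY=pts/0 ; COMMAND=/bin/systemctl restart rsyslog
Mar  3 12:00:05 pihole dnsmasq-dhcp[1234]: DHCPACK(eth0) 10.2.1.50 aa:bb:cc:dd:ee:ff
"""

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse(line):
    """Split one rsyslog-formatted line into timestamp, host, programname, msg."""
    m = SYSLOG_LINE.match(line)
    return m.groupdict() if m else None


def destinations(line, pihole_ip=PIHOLE_IP):
    """Files the posted filters would write this line to, or None when the
    line is not from dnsmasq and falls through to the stock syslog rules."""
    rec = parse(line)
    if rec is None or rec["prog"] != "dnsmasq":      # == is exact: dnsmasq-dhcp is not dnsmasq
        return None
    msg = rec["msg"]
    dests = {"full"}                                   # Filter A: every dnsmasq line
    if "query[A" in msg:                               # Filter B: matches query[A] and query[AAAA]
        dests.add("query")
    if "/etc/pihole/gravity.list" in msg:              # Filter C: gravity hits only
        dests.add("blocked")
    if "query[A" in msg or f"is {pihole_ip}" in msg:   # Filter D: also wildcard/regex blocks
        dests.add("pihole")
    return dests


def count_buckets(text, pihole_ip=PIHOLE_IP):
    """Line count per destination file, i.e. what the post's wc -l reports;
    "syslog" counts the lines the filters leave to the stock rules."""
    counts = Counter()
    for line in text.splitlines():
        d = destinations(line, pihole_ip)
        if d is None:
            counts["syslog"] += 1
        else:
            counts.update(d)
    return dict(counts)


if __name__ == "__main__":
    for name, n in sorted(count_buckets(SAMPLE).items()):
        print(f"{name:8s} {n}")
```

On the sample the query bucket counts three lines although only two are `query[A]`, and the "config ... is 10.2.1.47" line (a wildcard block) reaches pihole.log but not the blocked file; if the blocked count is what an auditor asks for, Filter D's IP test is the one to use.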

I'm a physicist in real life. I tell you: They cannot!
FTL is (by definition!) the best approach :wink:

1 Like

Rsyslog can read a flat file as well. See

Not as fancy as filters, but we can add a tag; I used 'pihole:' as my tag. In the lab I got data into /var/log/syslog (Ubuntu OS).
JB

I know that this is an old post, but hopefully I can use this instead of opening a new post.

Does the pihole/pihole Docker image have the ability to use syslog natively? There are no references to it in the supervisor or in init.d.

Motivation: I want to send my pihole logs to elasticsearch (ELK) and visualize the spread on grafana / kibana.

1 Like

Possible HowTo:

Make /etc/dnsmasq.d/99-pihole-log-facility.conf containing:

log-facility=DAEMON

to over-override Pi-hole’s configuration.

No need to tamper with /etc/dnsmasq.d/01-pihole.log
since it does not “belong” to you.

Just “comment” the “log-facility=” statement there.

1 Like

Thank you for the great work with pi-hole!

I would like to request an enhancement allowing DNS call logging to a remote logger via the GUI. The intent would be to have long-term (historic) archiving of all DNS calls (with check boxes to enable/disable log types). This feature would allow querying DNS names and/or IPs for correlation purposes (via my SIEM solution).

In a corporate environment, if there is a defined logging setup option for compliance/audit purposes, there will potentially be a higher adoption rate from that perspective (auditors want screenshots of where in the GUI the logger is set up).

Thank you in advance.

1 Like

When conceptually looking at the application, how much effort would be needed to complete the above?

If all you are looking for is pure logs, the file located at /etc/pihole/pihole-FTL.db is likely the data you need.

Not necessarily a huge amount of effort, but since only a few people would work on it in their spare time, it would take a while. Also, we are currently busy with v4.1 and v5.0, which do not have plans for this functionality.

Add a syslog forwarder as an option for all requests, passed or blocked.

I tried several things found on the internet, but nothing worked.
Is it possible for you to help me with this?

It doesn't work well with the rsyslog service - it never picks up the logs from "/var/log/pihole.log" - however the FTL ones are sent.

Forward logs to remote server:

# everything on facility local0 goes to the collector over UDP
local0.* action(type="omfwd" target="10.172.211.15" port="1514" protocol="udp"
                action.resumeRetryCount="100"
                queue.type="linkedList" queue.size="10000")

Define extra log sources:

module(load="imfile" PollingInterval="30")
# Pi-hole's files are flat text; imfile turns each new line into a
# syslog message with the given tag, on local0.info
input(type="imfile" File="/var/log/pihole.log"
      Tag="pihole"
      Severity="info"
      Facility="local0")
input(type="imfile" File="/var/log/pihole-FTL.log"
      Tag="pihole-FTL"
      Severity="info"
      Facility="local0")

This would be a very nice option especially for Synology NAS owners. Synology has a syslog server that receives logs via port 514 and archives them. I know TP-Link access points are capable of sending their logs to a log server and it would be nice if pi-hole could do the same.

You should be able to do that now with rsyslog. Have you tried that approach yet?

Dan, thanks for your excellent suggestion. I got it working as follows:

  1. In /etc/rsyslog.conf add:

    module(load="imfile") # provides a way to convert text to syslog

  2. Uncomment 4 lines for imudp and imtcp in /etc/rsyslog.conf:

    module(load="imudp")
    input(type="imudp" port="514")

    module(load="imtcp")
    input(type="imtcp" port="514")

  3. Add the remote log server IP and port to /etc/rsyslog.conf:

    # Specify your log server IP and port
    *.* @192.168.0.34:514

Note: Look up the syntax. My exact statement caused odd formatting in my post so I tweaked it.

  4. Create /etc/rsyslog.d/pihole.conf with these lines:

    $InputFileName /var/log/pihole.log
    $InputFileTag pihole
    $InputFilePersistStateInterval 1000
    # $InputRunFileMonitor activates the monitor with the settings above, so it comes last
    $InputRunFileMonitor

  5. Optionally create /etc/rsyslog.d/piholeftl.conf with these lines:

    $InputFileName /var/log/pihole-FTL.log
    $InputFileTag pihole-ftl
    $InputFilePersistStateInterval 1000
    $InputRunFileMonitor

  6. Restart rsyslog -- systemctl restart rsyslog

  7. It's probably necessary to set “Network at boot” in the raspi-config system options so that NAS access is available when the Pi comes up. I had already done this for automated backups to my NAS.

  4. It's probably necessary to set “Network at boot” in the raspi-config system options so that NAS access is available when the Pi comes up. I had already done this for automated backups to my NAS.

My imfile setup evidently uses "legacy configuration directives" but I'm not about to change it since they work.

The Synology NAS log server can be configured for either UDP or TCP. I suppose the setup can be done with either imudp or imtcp depending on how you configure things. I'm using UDP on the NAS side.

I did have to tweak a NAS log center setting that spits out a warning if you exceed a "loggings per second" threshold. Mine was 10 by default and I bumped it to 150. That's not a PI-HOLE issue, just an FYI for NAS owners.

It's actually better to do this via rsyslogd since my NAS log archive now includes additional Pi system info (such as sudo sessions and commands) along with my pihole log.

Again, thank you very much for your suggestion to use rsyslog.

UPDATE: Much to my chagrin, the rsyslog approach worked fine up to a point, then it stopped sending pihole.log records. I believe the problem relates to the rsyslog imfile module which uses something called imfile-state files to keep track of which parts of the monitored log file have already been processed. The imfile doc states that it supports file rotation but it seems to have problems in that area. I stopped pihole-FTL, stopped rsyslog, removed all pihole logs, then restarted pihole-FTL and rsyslog. The log records are once again being handled correctly, but I expect that to fail at some point (midnight perhaps). I have an rsyslog debug file set up to get more diagnostics. It may be a few days till I can investigate further.

UPDATE 2: Forgive my frequent editing. I checked this morning and the pihole log records on the NAS side ended at 23:58:12 just before pihole midnight log file processing occurred. Evidently whatever happens then is confusing the rsyslog imfile positioning in the file being monitored. It's possible the imfile reopenOnTruncate will help, but it's going to be a few days till I can try it out.

2 Likes
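Added example serving the two imfile write-ups above (the omfwd/imfile config and the Synology steps with their UPDATE); it is not rsyslog's or Pi-hole's code and not a production replacement for rsyslog. It shows the failure mode the last update describes and how a tailer avoids it: remember a byte offset, but when the file shrinks below that offset (Pi-hole's midnight flush truncates pihole.log in place) or its inode changes (logrotate rename), start again from the beginning instead of waiting at a stale position. Each recovered line is then packed as an RFC 3164 datagram on local0.info with tag pihole, the facility, severity and tag the posted configs use. The collector 192.0.2.10:514, the hostname "pihole" and the sample lines are placeholders and constructed data. Two practitioner notes on the configs above: rsyslog's own knob for this case is the imfile input parameter reopenOnTruncate="on" (the one the last update mentions trying), and the imudp/imtcp input lines in the Synology steps are not needed to forward logs; they make the Pi a syslog receiver on UDP/TCP 514, so leave them commented out or firewall that port if you keep them.

```python
"""Tail a Pi-hole style log across in-place truncation and rotation, and
ship each new line as a syslog (RFC 3164) UDP datagram.

Added example, not Pi-hole or rsyslog code. Assumptions (not from the
thread): facility local0, severity info and tag "pihole" as in the posted
imfile configs; collector 192.0.2.10:514 and hostname "pihole" are
placeholders.
"""
from __future__ import annotations

import os
import shutil
import socket
import tempfile
import time
from datetime import datetime

FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
DEMO_TIME = datetime(2024, 3, 3, 12, 0, 1)   # fixed timestamp for the demo output


def syslog_pri(facility: int, severity: int) -> int:
    """PRI as defined in RFC 3164: facility * 8 + severity (local0.info = 134)."""
    return facility * 8 + severity


def format_rfc3164(message: str, tag: str = "pihole", hostname: str = "pihole",
                   facility: int = FACILITY_LOCAL0, severity: int = SEVERITY_INFO,
                   now: datetime | None = None) -> bytes:
    """Build "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG", the BSD format omfwd emits by default."""
    now = now or datetime.now()
    # RFC 3164 pads a single-digit day with a space, hence "Mar  3"
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {tag}: {message}".encode("utf-8")


class TruncationSafeTail:
    """Follow a file by byte offset.

    imfile keeps an offset in a state file; when Pi-hole's midnight flush
    truncates pihole.log in place, that offset points past the new end of the
    file and nothing is read until the file grows past it again. Here a shrink
    below the remembered offset, or a changed inode (rename by logrotate),
    resets the offset to 0 so the new day's lines are not skipped.
    """

    def __init__(self, path: str):
        self.path = path
        self.offset = 0
        self.inode: int | None = None
        self.reopens = 0

    def read_new_lines(self) -> list[str]:
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []                 # not created yet, or mid-rotation: try again next poll
        if self.inode is not None and (st.st_ino != self.inode or st.st_size < self.offset):
            self.offset = 0           # truncated or replaced: start over
            self.reopens += 1
        self.inode = st.st_ino
        lines: list[str] = []
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            while True:
                start = f.tell()
                raw = f.readline()
                if not raw:
                    break
                if not raw.endswith(b"\n"):
                    f.seek(start)     # a line still being written: pick it up next poll
                    break
                lines.append(raw.rstrip(b"\r\n").decode("utf-8", "replace"))
            self.offset = f.tell()
        return lines


def simulate_midnight_flush(path: str) -> None:
    """Constructed stand-in for what the midnight flush does to pihole.log:
    keep a copy as .1 and truncate the live file in place (same inode, size 0)."""
    shutil.copyfile(path, path + ".1")
    with open(path, "w"):
        pass


def forward(lines, target=("192.0.2.10", 514), **fmt) -> int:
    """Send one datagram per line; returns the number sent (UDP, so best effort)."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(format_rfc3164(line, **fmt), target)
            sent += 1
    return sent


def demo(path: str | None = None):
    """Scripted run on a constructed log: two lines, a midnight-style flush, then a
    line that arrives in two writes. Returns (lines seen, number of reopens)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="pihole-tail-"), "pihole.log")
    tail = TruncationSafeTail(path)
    seen = []
    with open(path, "a") as f:
        f.write("query[A] a.example from 10.2.1.50\n")
        f.write("reply a.example is 192.0.2.1\n")
    seen += tail.read_new_lines()
    simulate_midnight_flush(path)        # a fixed-offset reader would now stall
    with open(path, "a") as f:
        f.write("query[A] b.exa")          # partial write, newline not there yet
    seen += tail.read_new_lines()        # returns nothing for the partial line
    with open(path, "a") as f:
        f.write("mple from 10.2.1.50\n")
    seen += tail.read_new_lines()
    return seen, tail.reopens


if __name__ == "__main__":
    tail = TruncationSafeTail("/var/log/pihole.log")
    while True:                          # poll like imfile does, one second apart
        new = tail.read_new_lines()
        if new:
            forward(new)
        time.sleep(1)
```

The shrink test has one residual race: if the truncated file grows past the old offset between two polls, the truncation is invisible and the lines written in between are lost; a short polling interval keeps that window small, which is also why the 30-second PollingInterval in the earlier config is a poor fit for a file that is truncated at midnight. Syslog over plain UDP carries no integrity or confidentiality, so for a SIEM feed across anything but a trusted LAN use the TCP ("@@") transport with TLS at the rsyslog layer rather than this sketch.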